Security Trends

AI-Powered Attacks: Why 2025 Was Different

Ilya Pavlov

Let's talk about what actually happened in 2025.

Figure: Vulnerabilities by Year (Source: WPScan Statistics)

WordPress vulnerability discoveries hit record numbers in 2025. Not by a small margin. By a lot.

But it's not just about the total number. It's about how these vulnerabilities were discovered.

AI as a Security Tool

In 2024, security researchers started experimenting with AI for code review. By 2025, it was standard practice.

Here's what that looks like in practice:

  • Download a WordPress plugin's source code
  • Feed it to GPT-4 or Claude with a prompt like "analyze this for security vulnerabilities"
  • The AI points out potential issues
  • The researcher verifies and reports confirmed vulnerabilities

This process used to take days or weeks. Now it takes hours.

Result: Way more vulnerabilities discovered. Not because plugins suddenly got worse. Because we got better at finding the issues that were always there.

The Flip Side

AI also made it easier to write vulnerable code.

Developers started using AI assistants to write WordPress plugins. The AI is good at writing functional code. It knows WordPress hooks. It understands PHP syntax. It can generate working plugins in minutes.

But AI assistants learn from existing code. And a lot of existing WordPress code has security issues. So the AI replicates those patterns.

Classic example: AI generates database queries using string concatenation instead of prepared statements. It works. It's fast. It's also vulnerable to SQL injection.
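To make that concrete, here is an added illustration of the pattern (example code written for this post, not code from the article or from BoonRisk): the concatenated query as an AI assistant commonly emits it, beside the same lookup written with $wpdb->prepare(). The custom table, its columns and the function names are assumed for the example.

```php
<?php
// Added example, not part of the original post. Assumes a custom table
// {$wpdb->prefix}subscribers with columns id, email, status (int).

// VULNERABLE: the user-supplied value is spliced into the SQL text.
// A quote character in $email ends the string literal early, and whatever
// follows it is parsed by MySQL as SQL rather than as data.
function vulnerable_find_subscriber( $email, $status ) {
    global $wpdb;
    $table = $wpdb->prefix . 'subscribers';
    $sql   = "SELECT id, email, status FROM $table "
           . "WHERE email = '" . $email . "' AND status = " . $status;
    return $wpdb->get_row( $sql );
}

// HARDENED: the values are bound through placeholders. %s is escaped and
// quoted as a string literal, %d is cast to an integer, so neither can
// change the shape of the statement. The table name is built from the
// site's own prefix, never from request data.
function find_subscriber( $email, $status ) {
    global $wpdb;
    $table = $wpdb->prefix . 'subscribers';
    $sql   = $wpdb->prepare(
        "SELECT id, email, status FROM {$table} WHERE email = %s AND status = %d",
        sanitize_email( $email ),
        (int) $status
    );
    return $wpdb->get_row( $sql );
}

// Edge case: LIKE patterns. prepare() binds the value, but the % and _
// wildcards inside it must be escaped separately with esc_like(), otherwise
// a user can widen the match. Here the wildcard is added on purpose, after escaping.
function find_subscribers_by_domain( $domain ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'subscribers';
    $pattern = '%@' . $wpdb->esc_like( $domain );
    $sql     = $wpdb->prepare(
        "SELECT id, email FROM {$table} WHERE email LIKE %s",
        $pattern
    );
    return $wpdb->get_results( $sql );
}
```

When reviewing AI-generated plugin code, grep for every $wpdb->query(), get_row(), get_results() and get_var() call whose argument is not the return value of $wpdb->prepare(); the WordPress Coding Standards ruleset for PHPCS reports exactly this as WordPress.DB.PreparedSQL.NotPrepared, which makes the check easy to automate in CI.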

Why This Matters

If you run a WordPress site, here's what 2025 means for you:

Vulnerability disclosure is accelerating. Expect more frequent security updates. Expect them to be more critical. Expect exploits to appear faster after disclosure.

Zero-day windows are shrinking. The time between "vulnerability discovered" and "exploit in the wild" is getting shorter. Days, not weeks.

Automated attacks are getting smarter. Bad actors are using the same AI tools to scan for vulnerabilities. They're not manually hunting anymore. They're letting AI do it.

What You Should Do

Three things:

  • Keep plugins updated. This was always important. Now it's critical. Set up automatic updates if you can. Check weekly if you can't.
  • Remove unused plugins. Every plugin is a potential entry point. If you're not using it, delete it. Not just deactivate. Delete.
  • Know your risk surface. This is where BoonRisk comes in. We can't prevent attacks, but we can show you where you're exposed. Regular security checks aren't optional anymore.
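The first two steps can be enforced on the site itself rather than remembered. The following is an added example (written for this post, not BoonRisk's plugin or code from the article) of a must-use plugin that opts every plugin into WordPress's built-in automatic updates and flags plugins that are installed but inactive, so they get deleted instead of lingering. The file name and function names are the example's own.

```php
<?php
/**
 * Plugin Name: Plugin Hygiene (added example, not BoonRisk code)
 * Description: Drop into wp-content/mu-plugins/ to enforce the two steps above.
 */

// Step 1: keep plugins updated. WordPress core consults the auto_update_plugin
// filter for each plugin; returning true opts all of them into automatic updates.
add_filter( 'auto_update_plugin', '__return_true' );

// Step 2: remove unused plugins. A deactivated plugin's files stay on the server,
// so it remains part of the site's attack surface. List them where an admin sees them.
function hygiene_inactive_plugins() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $inactive = array();
    foreach ( get_plugins() as $file => $data ) {
        if ( ! is_plugin_active( $file ) && ! is_plugin_active_for_network( $file ) ) {
            $inactive[ $file ] = $data['Name'];
        }
    }
    return $inactive;
}

function hygiene_admin_notice() {
    // Only show the list to users who are actually allowed to delete plugins.
    if ( ! current_user_can( 'delete_plugins' ) ) {
        return;
    }
    $inactive = hygiene_inactive_plugins();
    if ( empty( $inactive ) ) {
        return;
    }
    echo '<div class="notice notice-warning"><p>'
        . 'Inactive plugins still installed (delete them if unused): '
        . esc_html( implode( ', ', $inactive ) )
        . '</p></div>';
}
add_action( 'admin_notices', 'hygiene_admin_notice' );
```

Because it lives in mu-plugins, this file cannot be deactivated from the dashboard and loads before regular plugins, which is the right place for policy that should survive a compromised or careless admin session. If a specific plugin must not auto-update (for example one pinned for compatibility), return false for its slug inside the filter instead of using __return_true.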
The Bigger Picture

2025 showed us that AI is a double-edged sword for WordPress security.

It's making security research more effective. That's good.

It's also making it easier to write vulnerable code and easier to exploit it. That's bad.

The sites that survive are the ones that stay on top of it.


Want to understand your WordPress site's risk surface? Try BoonRisk free.
